Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: nodejs/node
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v18.17.0
Choose a base ref
...
head repository: nodejs/node
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v18.17.1
Choose a head ref
  • 6 commits
  • 383 files changed
  • 4 contributors

Commits on Jul 18, 2023

  1. Working on v18.17.1 

    PR-URL: #48694
    @danielleadams
    danielleadams committed Jul 18, 2023
    Configuration menu
    Copy the full SHA
    6378377 View commit details
    Browse the repository at this point in the history

Commits on Aug 8, 2023

  1. deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 

    PR-URL: #49036
Reviewed-By: Rafael Gonzaga <[email protected]>
    @nodejs-github-bot @RafaelGSS
    nodejs-github-bot authored and RafaelGSS committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    2c5a522 View commit details
    Browse the repository at this point in the history

  2. deps: update archs files for openssl-3.0.10+quic1 

    PR-URL: #49036
Reviewed-By: Rafael Gonzaga <[email protected]>
    @nodejs-github-bot @RafaelGSS
    nodejs-github-bot authored and RafaelGSS committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    fe3abdf View commit details
    Browse the repository at this point in the history

  3. policy: disable process.binding() when enabled 

    process.binding() can be used to trivially bypass restrictions imposed
through a policy. Since the function is deprecated already, simply
replace it with a stub when a policy is being enabled.

Fixes: https://hackerone.com/bugs?report_id=1946470
PR-URL: nodejs-private/node-private#460
CVE-ID: CVE-2023-32559
    @tniessen @RafaelGSS
    tniessen authored and RafaelGSS committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    d4570fa View commit details
    Browse the repository at this point in the history

  4. policy: handle Module.constructor and main.extensions bypass 

    Signed-off-by: RafaelGSS <[email protected]>
PR-URL: nodejs-private/node-private#417
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1960870
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2043807
CVE-ID: CVE-2023-32002,CVE-2023-32006
    @RafaelGSS
    RafaelGSS committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    15bced0 View commit details
    Browse the repository at this point in the history

  5. 2023-08-09, Version 18.17.1 'Hydrogen' (LTS) 

    Notable changes:

Following CVEs are fixed in this release:

* CVE-2023-32002: Policies can be bypassed via Module._load (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html

PR-URL: nodejs-private/node-private#463
    @RafaelGSS
    RafaelGSS committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    2e414d5 View commit details
    Browse the repository at this point in the history
Loading